array(), 'values' => array() ); // Check if sponsor already exists foreach ($POST as $k=>$v) { if (!(array_search($k, $SKIPPED) > -1)) { // Check only posted input entries not the submit button switch ($k) { case "email": $ALREADY = false; if (!VALIDATE_EMAIL($v)) { // Email address is not valid $SAVE = false; } else { // Do we want to add a new sponsor or update his data? $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_sponsor_data WHERE email='%s' LIMIT 1", array($POST['email']), __FILE__, __LINE__); // Is a sponsor alread in the db? if (SQL_NUMROWS($result) == 1) { // Free memory SQL_FREERESULT($result); // Yes, he is! if (($_GET['what'] == "add_sponsor") || ($NO_UPDATE)) { // Already found! $ALREADY = true; } else { // Update his data $UPDATE = true; } } } break; case "pass1": $k = ""; $v = ""; break; case "pass2": $k = "password"; $v = md5($v); break; case "url": if (!VALIDATE_URL($v)) $SAVE = false; break; default: // Test if there is are time selections $TEST = substr($k, -3); if ((($TEST == "_ye") || ($TEST == "_mo") || ($TEST == "_we") || ($TEST == "_da") || ($TEST == "_ho") || ($TEST == "_mi") || ($TEST == "_se")) && (!empty($v))) { // Found a multi-selection for timings? 
$TEST = substr($k, 0, -3); if ((!empty($POST[$TEST."_ye"])) && (!empty($POST[$TEST."_mo"])) && (!empty($POST[$TEST."_we"])) && (!empty($POST[$TEST."_da"])) && (!empty($POST[$TEST."_ho"])) && (!empty($POST[$TEST."_mi"])) && (!empty($POST[$TEST."_se"])) && ($TEST != $TEST2)) { // Generate timestamp $POST[$TEST] = CREATE_TIMESTAMP_FROM_SELECTIONS($TEST, $POST); $DATA['keys'][] = $TEST; $DATA['values'][] = $POST[$TEST]; // Remove data from array unset($POST[$TEST."_ye"]); unset($POST[$TEST."_mo"]); unset($POST[$TEST."_we"]); unset($POST[$TEST."_da"]); unset($POST[$TEST."_ho"]); unset($POST[$TEST."_mi"]); unset($POST[$TEST."_se"]); // Skip adding $k = ""; $skip = true; $TEST2 = $TEST; } } else { $skip = false; $TEST2 = ""; } break; } if ((!empty($k)) && ($skip == false)) { // Add data $DATA['keys'][] = $k; $DATA['values'][] = $v; } } } // Save sponsor? if ($SAVE) { // Default is no force even when a guest want to abuse this force switch if ((empty($POST['force'])) || (!IS_ADMIN())) $POST['force'] = "0"; // SQL and message string is empty by default $SQL = ""; $MSG = ""; // Update? if ($UPDATE) { // Update his data $SQL = "UPDATE "._MYSQL_PREFIX."_sponsor_data SET "; foreach ($DATA['keys'] as $k=>$v) { $SQL .= $v."='%s', "; } // Remove last ", " from SQL string $SQL = substr($SQL, 0, -2)." 
WHERE id='%s' LIMIT 1"; $DATA['values'][] = bigintval($_GET['id']); // Generate message $MSG = SPONSOR_SET_MESSAGE(ADMIN_SPONSOR_UPDATED, "updated", $MSGs); $ret = "updated"; } elseif ((!$ALREADY) || (($POST['force'] == "1") && (IS_ADMIN()))) { // Add new sponsor, first add more data $DATA['keys'][] = "sponsor_created"; $DATA['values'][] = time(); $DATA['keys'][] = "status"; if ((!$NO_UPDATE) && (IS_ADMIN()) && ($_GET['what'] == "add_sponsor")) { // Only allowed for admin $DATA['values'][] = "PENDING"; } else { // Guest area $DATA['values'][] = "UNCONFIRMED"; // Generate hash code $DATA['keys'][] = "hash"; $DATA['values'][] = md5($_COOKIE['PHPSESSID'].":".$POST['email'].":".$_SERVER['REMOTE_ADDR'].":".$_SERVER['HTTP_USER_AGENT'].":".time()); $DATA['keys'][] = "remote_addr"; $DATA['values'][] = $_SERVER['REMOTE_ADDR']; } // Implode all data into strings $KEYS = implode(", " , $DATA['keys']); $VALUES = str_repeat("%s', '", count($DATA['values']) - 1); // Generate string $SQL = "INSERT INTO "._MYSQL_PREFIX."_sponsor_data (".$KEYS.") VALUES('".$VALUES."%s')"; // Generate message $MSG = SPONSOR_SET_MESSAGE(ADMIN_SPONSOR_ADDED, "added", $MSGs); $ret = "added"; } elseif ((!$NO_UPDATE) && (IS_ADMIN())) { // Add all data as hidden data $OUT = ""; foreach ($POST as $k=>$v) { // Do not add 'force' ! if ($k != "force") { $OUT .= "\n"; } } define('__HIDDEN_DATA', $OUT); define('__EMAIL' , $POST['email']); // Ask for adding a sponsor with same email address LOAD_TEMPLATE("admin_add_sponsor_already"); return; } else { // Already added! $MSG = SPONSOR_ALREADY_FOUND_1.$POST['email'].SPONSOR_ALREADY_FOUND_2; $ret = "already"; } if (!empty($SQL)) { // Run SQL command $result = SQL_QUERY_ESC($SQL, $DATA['values'], __FILE__, __LINE__); } // Output message if ((!$NO_UPDATE) && (IS_ADMIN())) { LOAD_TEMPLATE("admin_settings_saved", false, $MSG); } } else { // Error found! 
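$MSG = SPONSOR_SET_MESSAGE(SPONSOR_DATA_NOT_SAVED, "failed", $MSGs);
        LOAD_TEMPLATE("admin_settings_saved", false, $MSG);
    }

    // Shall we return the status?
    if ($RET_STATUS) return $ret;
}

// Translates a sponsor status code into the matching language constant.
// Codes that are not known are wrapped in UNKNOWN_STATUS_1 / UNKNOWN_STATUS_2.
function SPONSOR_TRANSLATE_STATUS($status) {
    switch ($status) {
        case "UNCONFIRMED":
            $ret = ACCOUNT_UNCONFIRMED;
            break;

        case "CONFIRMED":
            $ret = ACCOUNT_CONFIRMED;
            break;

        case "LOCKED":
            $ret = ACCOUNT_LOCKED;
            break;

        case "PENDING":
            $ret = ACCOUNT_PENDING;
            break;

        case "EMAIL":
            $ret = ACCOUNT_EMAIL;
            break;

        default:
            // NOTE(review): $status is concatenated unescaped; escape it where the
            // result is printed if it can ever hold something other than a stored code.
            $ret = UNKNOWN_STATUS_1.$status.UNKNOWN_STATUS_2;
            break;
    }
    return $ret;
}

// Search for an email address in the database.
// Returns true when a sponsor row with this address exists, false otherwise.
function SPONSOR_FOUND_EMAIL_DB($email) {
    // The address is handed to SQL_QUERY_ESC() as a separate value (the file's own
    // comments say that function secures the values it is given)
    $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_sponsor_data WHERE email='%s' LIMIT 1", array($email), __FILE__, __LINE__);

    // Do we already have the provided email address in our DB?
    $ret = (SQL_NUMROWS($result) == 1);

    // Free memory (was missing here although the other lookups in this file do it)
    SQL_FREERESULT($result);

    // Return result
    return $ret;
}

// Returns the message stored under $pos in $array, or $msg when there is none.
function SPONSOR_SET_MESSAGE($msg, $pos, $array) {
    // Check if the requested message was found in array
    if (isset($array[$pos])) {
        // ... if yes then use it!
        $ret = $array[$pos];
    } else {
        // ... else use default message
        $ret = $msg;
    }

    // Return result
    return $ret;
}

// Checks the 'sponsorid' / 'sponsorpass' cookies against a CONFIRMED sponsor row.
// Returns true only when exactly one row matches both values.
//
// NOTE(review): the cookie value is compared directly with the password column, and
// elsewhere in this file that column is filled with an unsalted md5() of the password.
// The stored hash therefore acts as the login credential itself: anyone who can read
// the table or the cookie can log in without knowing the password. Confirm, and plan
// a move to a random server-side session token and a password hashing function.
function IS_SPONSOR() {
    global $_COOKIE;

    // Failed...
    $ret = false;
    if ((!empty($_COOKIE['sponsorid'])) && (!empty($_COOKIE['sponsorpass']))) {
        // Check cookies against database records...
        $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_sponsor_data WHERE id='%s' AND password='%s' AND status='CONFIRMED' LIMIT 1", array(bigintval($_COOKIE['sponsorid']), $_COOKIE['sponsorpass']), __FILE__, __LINE__);
        if (SQL_NUMROWS($result) == 1) {
            // All is fine
            $ret = true;
        }

        // Free memory
        SQL_FREERESULT($result);
    }

    // Return status
    return $ret;
}

// Builds the sponsor menu (main entries with their sub entries) and returns it as
// a string. Admins also get entries that are not marked active='Y'.
// $current is the 'what' value of the currently selected sub menu.
function GENERATE_SPONSOR_MENU($current) {
    $OUT = "";

    // $WHERE is one of two fixed strings, never request data
    $WHERE = " AND active='Y'";
    if (IS_ADMIN()) $WHERE = "";

    // Load main menu entries
    $result_main = SQL_QUERY("SELECT action, title FROM "._MYSQL_PREFIX."_sponsor_menu WHERE (what='' OR what IS NULL) ".$WHERE." ORDER BY sort", __FILE__, __LINE__);
    if (SQL_NUMROWS($result_main) > 0) {
        // Load every menu and it's sub menus
        while(list($action, $title_main) = SQL_FETCHROW($result_main)) {
            // Load sub menus
            $result_sub = SQL_QUERY_ESC("SELECT what, title FROM "._MYSQL_PREFIX."_sponsor_menu WHERE action='%s' AND what != '' ".$WHERE." ORDER BY sort", array($action), __FILE__, __LINE__);
            if (SQL_NUMROWS($result_sub) > 0) {
                // Load sub menus
                $SUB = "";
                while(list($what, $title_sub) = SQL_FETCHROW($result_sub)) {
                    // Check if current selected menu is matching the loaded one
                    // NOTE(review): both wrapper strings are empty as shown, so this
                    // leaves the title unchanged - highlight markup may be missing.
                    if ($current == $what) $title_sub = "".$title_sub."";

                    // Prepare data for the sub template
                    $content = array(
                        'what'  => $what,
                        'title' => $title_sub
                    );

                    // Load row template
                    $SUB .= LOAD_TEMPLATE("sponsor_what", true, $content);
                }

                // Prepare data for the main template
                $content = array(
                    'title' => $title_main,
                    'menu'  => $SUB
                );

                // Load menu template
                $OUT .= LOAD_TEMPLATE("sponsor_action", true, $content);
            } else {
                // No sub menus active
                $OUT .= LOAD_TEMPLATE("admin_settings_saved", true, SPONSOR_NO_SUB_MENUS_ACTIVE);
            }

            // Free memory
            SQL_FREERESULT($result_sub);
        }
    } else {
        // No main menus active
        $OUT .= LOAD_TEMPLATE("admin_settings_saved", true, SPONSOR_NO_MAIN_MENUS_ACTIVE);
    }

    // Free memory
    SQL_FREERESULT($result_main);

    // Return content
    return $OUT;
}

// Loads inc/modules/sponsor/<what>.php and returns the content that module wrote
// into $OUT, or a "not found" message when there is no such module.
//
// $what becomes part of a require_once() path, so it must be a plain module name:
// values containing a path separator, "..", or a NUL byte are answered with the same
// "not found" message and never reach the file system. $what is HTML-escaped before
// it is placed into that message.
function GENERATE_SPONSOR_CONTENT($what) {
    // These stay declared because the included module runs in this function's scope
    global $HTTP_POST_VARS, $_GET, $CONFIG;
    $OUT = "";

    // Refuse anything that could leave inc/modules/sponsor/
    if ((strpos($what, "/") !== false) || (strpos($what, "\\") !== false) || (strpos($what, "..") !== false) || (strpos($what, chr(0)) !== false)) {
        return LOAD_TEMPLATE("admin_settings_saved", true, SPONSOR_CONTENT_404_1.htmlspecialchars($what, ENT_QUOTES).SPONSOR_CONTENT_404_2);
    }

    $FILE = sprintf("%sinc/modules/sponsor/%s.php", PATH, $what);
    if ((file_exists($FILE)) && (is_readable($FILE))) {
        // Every sponsor action will output nothing directly. It will be written into $OUT!
        require_once($FILE);
    } else {
        // File not found!
        $OUT .= LOAD_TEMPLATE("admin_settings_saved", true, SPONSOR_CONTENT_404_1.htmlspecialchars($what, ENT_QUOTES).SPONSOR_CONTENT_404_2);
    }

    // Return content
    return $OUT;
}

// Renews both login cookies for another $CONFIG['online_timeout'] seconds and, when
// both could be set, updates the sponsor's last_online timestamp.
// Returns false when a cookie is missing or could not be set, true otherwise.
//
// NOTE(review): the cookies are re-issued from whatever the client sent, without a
// database check in this function; the return value does not say the login is valid.
// Callers presumably run IS_SPONSOR() first - confirm.
// NOTE(review): 'sponsorpass' carries the stored password hash and is set without
// the secure / httponly cookie flags; consider both once the minimum PHP version allows.
function UPDATE_SPONSOR_LOGIN() {
    global $_COOKIE, $CONFIG;

    // Check if cookies are set
    if ((empty($_COOKIE['sponsorid'])) || (empty($_COOKIE['sponsorpass']))) return false;

    // Calculate cookie lifetime, maybe we have to change this so the admin can setup a
    // seperate timeout for these two cookies?
    $life = (time() + $CONFIG['online_timeout']);

    // Is confirmed so both is fine and we can continue with login procedure
    $login = ((setcookie("sponsorid"  , bigintval($_COOKIE['sponsorid']), $life, COOKIE_PATH)) &&
              (setcookie("sponsorpass", $_COOKIE['sponsorpass']         , $life, COOKIE_PATH)));

    // Update database?
    if ($login) {
        // Update last online timestamp
        $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_sponsor_data SET last_online='".time()."' WHERE id='%s' AND password='%s' LIMIT 1", array(bigintval($_COOKIE['sponsorid']), $_COOKIE['sponsorpass']), __FILE__, __LINE__);
    }

    // Return status
    return $login;
}

// Saves account data or settings submitted by the logged-in sponsor and sends the
// notification mails. $POST is the submitted form, $content the sponsor's current
// data. Returns the message to show to the sponsor.
//
// Changes against the earlier version of this function:
//  - Submitted keys are used as column names. Only keys that are plain identifiers
//    are accepted, and the protected-column list is matched case-insensitively, so
//    a key can no longer alter the statement or reach a protected column through a
//    different spelling.
//  - The UPDATE is now executed before SQL_AFFECTEDROWS() is consulted; before, the
//    check looked at whichever statement happened to run previously.
//  - The confirmation mail for a changed address goes to the new address (it was
//    sent to the old one, so the link proved nothing about the new address), and
//    the new address has to pass VALIDATE_EMAIL().
//  - An empty submission no longer produces an UPDATE without a SET clause.
//  - $_GET['what'] is HTML-escaped before it is placed into the returned message.
function SPONSOR_SAVE_DATA($POST, $content) {
    global $_COOKIE, $_SERVER, $_GET;
    $EMAIL = false;
    $HASH = "";

    // Unsecure data which we don't want (all lower case, keys are compared lower-cased)
    $UNSAFE = array('password', 'id', 'remote_addr', 'sponsor_created', 'last_online', 'status',
                    'ref_count', 'points_amount', 'points_used', 'refid', 'hash' , 'last_pay',
                    'last_curr', 'pass_old', 'ok', 'pass1', 'pass2');

    // Set default message ("not saved")
    $MSG = SPONSOR_ACCOUNT_DATA_NOT_SAVED;

    // Check for submitted passwords
    // NOTE(review): $HTTP_POST_VARS is not declared global in this function, so it is
    // an empty local and this branch never runs; the 'password' entry it would set is
    // not added to the statement below either. Left as found - confirm where password
    // changes are meant to be handled. md5() is not a suitable password hash.
    if ((!empty($HTTP_POST_VARS['pass1'])) && (!empty($HTTP_POST_VARS['pass2']))) {
        // Are both passwords the same?
        if ($HTTP_POST_VARS['pass1'] == $HTTP_POST_VARS['pass2']) {
            // Okay, then set password and remove pass1 and pass2
            $HTTP_POST_VARS['password'] = md5($HTTP_POST_VARS['pass1']);
        }
    }

    // Remove all (maybe spoofed) unsafe data from array
    foreach ($UNSAFE as $remove) {
        unset($POST[$remove]);
    }

    // Remember the address exactly as it will be stored; $POST is rewritten by
    // COMPILE_CODE() in the loop below
    $NEW_EMAIL = "";
    if ((isset($POST['email'])) && (is_scalar($POST['email']))) $NEW_EMAIL = strip_tags($POST['email']);

    // This array is for the submitted data which we will use with the SQL_QUERY_ESC() function to
    // secure the data
    $DATA = array();

    // Prepare SQL string
    $SQL = "UPDATE "._MYSQL_PREFIX."_sponsor_data SET";
    foreach ($POST as $key=>$value) {
        // The key is written into the statement as a column name and is NOT covered by
        // the value escaping, so it must be a plain identifier (\z: no trailing newline).
        // Column names are not case-sensitive in MySQL, hence the lower-cased lookup.
        // Array values cannot be stored in a column and are dropped as well.
        if ((!preg_match('/^[A-Za-z_][A-Za-z0-9_]*\z/', $key)) || (in_array(strtolower($key), $UNSAFE, true)) || (!is_scalar($value))) {
            // Keep rejected entries away from the mail templates, too
            unset($POST[$key]);
            continue;
        }

        $SQL .= " ".$key."='%s',";

        // We will secure this later inside the SQL_QUERY_ESC() function
        $DATA[] = strip_tags($value);

        // Compile {SLASH} and so on for the email templates
        $POST[$key] = COMPILE_CODE($value);
    }

    // Nothing acceptable was submitted, so there is nothing to update
    if (count($DATA) == 0) return $MSG;

    // Check if email has changed
    if ((!empty($content['email'])) && (!empty($POST['email']))) {
        if ($content['email'] != $POST['email']) {
            // The new address receives a mail further down, so it has to be valid
            if (!VALIDATE_EMAIL($NEW_EMAIL)) return $MSG;

            // Change email address
            $EMAIL = true;

            // Okay, has changed then add status with UNCONFIRMED and new hash code
            $SQL .= " status='EMAIL', hash='%s',";

            // Generate hash code
            // NOTE(review): md5() over session id, address, IP, user agent and time is
            // not a random token; prefer a CSPRNG-based value once the PHP version allows.
            $HASH = md5($_COOKIE['PHPSESSID'].":".$POST['email'].":".$_SERVER['REMOTE_ADDR'].":".$_SERVER['HTTP_USER_AGENT'].":".time());
            $DATA[] = $HASH;
        }
    }

    // Remove last commata
    $SQL = substr($SQL, 0, -1);

    // Add SQL tail data (the row is only touched when id and password cookie match)
    $SQL .= " WHERE id='%s' AND password='%s' LIMIT 1";
    $DATA[] = bigintval($_COOKIE['sponsorid']);
    $DATA[] = $_COOKIE['sponsorpass'];

    // Choose message, admin template and subject
    switch ($_GET['what']) {
        case "account": // Change account data
            if ($EMAIL) {
                $MSG = SPONSOR_ACCOUNT_EMAIL_CHANGED;
                $templ = "admin_sponsor_change_email";
                $subj = ADMIN_SPONSOR_ACC_EMAIL_SUBJ;
            } else {
                $MSG = SPONSOR_ACCOUNT_DATA_SAVED;
                $templ = "admin_sponsor_change_data";
                $subj = ADMIN_SPONSOR_ACC_DATA_SUBJ;
            }
            break;

        case "settings": // Change settings
            // Translate some data
            $content['receive'] = TRANSLATE_YESNO($content['receive_warnings']);
            $content['interval'] = CREATE_FANCY_TIME($content['warning_interval']);

            // Set message template and subject for admin
            $MSG = SPONSOR_SETTINGS_SAVED;
            $templ = "admin_sponsor_settings";
            $subj = ADMIN_SPONSOR_SETTINGS_SUBJ;
            break;

        default: // Unknown sponsor what value!
            // The request value is escaped because it is returned inside the message
            $MSG = SPONSOR_UNKNOWN_WHAT_1.htmlspecialchars($_GET['what'], ENT_QUOTES).SPONSOR_UNKNOWN_WHAT_2;
            $templ = "";
            $subj = "";
            break;
    }

    if (!empty($templ) && !empty($subj)) {
        // Run SQL command and check for success
        $result = SQL_QUERY_ESC($SQL, $DATA, __FILE__, __LINE__);

        if (SQL_AFFECTEDROWS() == 1) {
            // Add all data to content (from here on $DATA is the global of that name)
            global $DATA;
            $DATA = $POST;

            // Change some data
            if (isset($content['salut']))            $content['salut'] = TRANSLATE_SEX($content['salut']);
            if (isset($DATA['salut']))               $DATA['salut']    = TRANSLATE_SEX($DATA['salut']);
            if (isset($content['receive_warnings'])) $DATA['receive']  = TRANSLATE_YESNO($POST['receive_warnings']);
            if (isset($content['warning_interval'])) $DATA['interval'] = CREATE_FANCY_TIME($POST['warning_interval']);

            // Send email to admins
            SEND_ADMIN_NOTIFICATION($subj, $templ, $content);

            // Shall we send mail to the sponsor's new email address?
            // NOTE(review): with receive_warnings other than "Y" no confirmation link is
            // sent although the status was set to 'EMAIL' above - confirm this is intended.
            if ($content['receive_warnings'] == "Y") {
                // Okay send email with confirmation link to new address and with no confirmation link
                // to the old address
                switch ($_GET['what']) {
                    case "account": // Change account data
                        // First to old address
                        $email_msg = LOAD_EMAIL_TEMPLATE("sponsor_change_data", $content);
                        SEND_EMAIL($content['email'], SPONSOR_ACC_DATA_SUBJ, $email_msg);
                        if ($EMAIL) {
                            // Add hash code to content array
                            $content['hash'] = $HASH;

                            // Second mail goes to the new address
                            $email_msg = LOAD_EMAIL_TEMPLATE("sponsor_change_email", $content);
                            SEND_EMAIL($NEW_EMAIL, SPONSOR_ACC_EMAIL_SUBJ, $email_msg);
                        }
                        break;

                    case "settings": // Change settings
                        // Send email
                        $email_msg = LOAD_EMAIL_TEMPLATE("sponsor_settings", $content);
                        SEND_EMAIL($content['email'], SPONSOR_SETTINGS_SUBJ, $email_msg);
                        break;
                }
            }
        }
    }

    // Return final message
    return $MSG;
}

//
?>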